Re: [Detnet] Flow Identification in IPv6

Toerless Eckert <tte@cs.fau.de> Tue, 09 March 2021 17:05 UTC

Date: Tue, 9 Mar 2021 18:05:05 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Tom Herbert <tom@herbertland.com>, "Yangfan (IP Standard)" <shirley.yangfan@huawei.com>, DetNet WG <detnet@ietf.org>, 6man WG <ipv6@ietf.org>, "draft-geng-6man-redundancy-protection-srh@ietf.org" <draft-geng-6man-redundancy-protection-srh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/wN-H-ubvg5rZEzmhggPRlUQr5E0>

How about taking a bit from the "reserved" field in the draft
to indicate if/when the IPv6 header flow label is being used
as the flow identification field? That would make using the flow
label field an option for the operator to decide.

For example, I could see not wanting to use the flow label field
if it's pushed down from encapsulated IPv6 traffic and used already
for some other purpose than PREOF.

Cheers
    Toerless

On Tue, Mar 09, 2021 at 05:03:22PM +1300, Brian E Carpenter wrote:
> On 09-Mar-21 05:31, Tom Herbert wrote:
> > On Mon, Mar 8, 2021 at 2:38 AM Yangfan (IP Standard)
> > <shirley.yangfan@huawei.com> wrote:
> >>
> >> Hi Greg,
> >>
> >> Literally speaking, the IPv6 Flow Label could be used to identify a specific flow needing redundancy protection in the SRv6 data plane. But I may have concerns that the flow label cannot be protected to be unmodified en route. A modified flow label can be a disaster for the traffic which is seeking deterministic forwarding, not only this flow, but also affecting other flows using redundancy protection. And with several security issues mentioned in RFC6437, I doubt if it is a good idea to use the IPv6 Flow Label.
> >>
> >> Just my 2 cents opinion, how do you and other people see it?
> >>
> > 
> > If this is to be used in a SRv6 domain which is itself a limited
> > domain, then I think the problems you mention aren't as much of a
> > concern since flow label would be used in a controlled environment.
> > The upside of using flow label is that it's already in the IPv6
> > header, it can be consumed by non-SRv6 devices, and putting the same
> > information in TLVs incurs the overhead and cost of processing TLVs in
> > the critical datapath.
> 
> The main downside is that it cannot convey any semantics and there is
> a rule about how its value is created. It's no more at risk of being
> modified than any other unauthenticated header field, so I agree that
> within an SRv6 domain malicious modification doesn't seem like a
> big risk. An attacker who could do that could do any kind of damage
> they wanted.
> 
> Regards
>     Brian
> 
> 
> > 
> > Tom
> > 
> >>
> >>
> >> Regards,
> >>
> >> Fan
> >>
> >> From: Greg Mirsky [mailto:gregimirsky@gmail.com]
> >> Sent: March 7, 2021 4:20
> >> To: draft-geng-6man-redundancy-protection-srh@ietf.org
> >> Cc: 6man WG <ipv6@ietf.org>; DetNet WG <detnet@ietf.org>; Greg Mirsky <gregory.mirsky@ztetx.com>
> >> Subject: Flow Identification in IPv6
> >>
> >>
> >>
> >> Dear Authors,
> >>
> >> thank you for bringing your proposal to the discussion. I agree with your view that the explicit routing enabled by SRv6 creates an environment where PREOF can be used. And, as we know, the PREOF may be used in a DetNet domain to lower packet loss ratio and provide bounded latency.
> >>
> >> After reading the draft, I've got a question for you. What do you see as the difference between the IPv6 Flow Label per RFC 6437 and the Flow Identification field in the TLV proposed in the draft? Could the IPv6 Flow Label be used to identify the flow for the PREOF?
> >>
> >>
> >>
> >> Regards,
> >>
> >> Greg
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> > 
> > 
> 
> _______________________________________________
> detnet mailing list
> detnet@ietf.org
> https://www.ietf.org/mailman/listinfo/detnet

-- 
---
tte@cs.fau.de
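
The selection suggested in the message above, sketched as an added example (not part of the thread and not code from the draft): a flag bit decides whether the PREOF flow identifier is read from the IPv6 header Flow Label or from the TLV. The draft's TLV layout is not shown in this thread, so `struct rp_tlv`, `RP_FLAG_USE_FLOW_LABEL` and the function names are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the draft's redundancy TLV (real layout is not
 * shown in the thread): a reserved byte whose low bit selects the flow-ID
 * source, plus a 32-bit Flow Identification field. */
#define RP_FLAG_USE_FLOW_LABEL 0x01u  /* assumed bit taken from "reserved" */
struct rp_tlv { uint8_t reserved; uint32_t flow_id; };

/* Extract the 20-bit Flow Label from the IPv6 fixed header:
 * bits 0-3 version, bits 4-11 traffic class, bits 12-31 flow label. */
static int ipv6_flow_label(const uint8_t *pkt, size_t len, uint32_t *label)
{
    if (pkt == NULL || len < 40 || (pkt[0] >> 4) != 6)
        return -1;                       /* truncated or not IPv6 */
    *label = ((uint32_t)(pkt[1] & 0x0F) << 16) |
             ((uint32_t)pkt[2] << 8) | pkt[3];
    return 0;
}

/* Pick the PREOF flow identifier: the header flow label when the operator
 * set the flag, otherwise the TLV field. Returns -1 on a bad header. */
static int preof_flow_id(const uint8_t *pkt, size_t len,
                         const struct rp_tlv *tlv, uint32_t *flow_id)
{
    if (tlv->reserved & RP_FLAG_USE_FLOW_LABEL)
        return ipv6_flow_label(pkt, len, flow_id);
    *flow_id = tlv->flow_id;
    return 0;
}

/* Constructed sample header: version 6, traffic class 0, flow label 0xABCDE. */
static const uint8_t sample_hdr[40] = { 0x60, 0x0A, 0xBC, 0xDE };

static uint32_t demo(uint8_t reserved)
{
    struct rp_tlv tlv = { reserved, 0x11223344u };  /* constructed TLV value */
    uint32_t id = 0;
    return preof_flow_id(sample_hdr, sizeof sample_hdr, &tlv, &id) == 0 ? id : 0;
}

int main(void)
{
    printf("flag set:   flow id 0x%x\n", (unsigned)demo(RP_FLAG_USE_FLOW_LABEL));
    printf("flag clear: flow id 0x%x\n", (unsigned)demo(0));
    return 0;
}
```

With the flag clear, an inner flow label that was copied to the outer header for another purpose is never interpreted as a PREOF flow identifier, which is the case the message describes.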